Cool! Thanks Alexander and Rob, this was a starting point I needed. Our challenge is tying IPA and our inventory system of record together for audit, when hostnames are not always consistent, so I was hoping to write something using the IPA libraries to handle the discovery in an automated way.
Thanks
-Andrew

On Wed, Mar 26, 2025 at 2:38 PM Rob Crittenden <rcrit...@redhat.com> wrote:
> Alexander Bokovoy via FreeIPA-users wrote:
> > On Wed, 26 Mar 2025, Andrew Nelson via FreeIPA-users wrote:
> >> How would one go about scripting the updating of host attributes in IPA
> >> such as MAC address from the host itself. Ideally I would love to use the
> >> host kerberos key and never need a user credential, but I'm unsure of how
> >> to start this.
> >>
> >> Can the IPA command line utility use the host kerberos key to perform
> >> host-mod activities? Likewise, can the python libraries leverage the host
> >> kerberos key? If so, how does one start?
> >
> > # kinit -k
> > # ipa host-show `hostname` --rights --all | grep attributelevelrights
> > ...
> >
> > Look at 'attributelevelrights' line, each element in that dictionary
> > describes what rights your Kerberos principal (in this case machine
> > account) has for each attribute. If you do not see an attribute, you
> > don't have write rights for sure.
> >
> > # ipa host-mod `hostname` --macaddress=....
> >
> > this will fail because machine's account has no rights to write to
> > macaddress attribute:
> >
> > # kinit -k
> > # ipa host-mod `hostname` --macaddress=AA:BB:CC:DD:EE:FF
> > ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
> > 'macAddress' attribute of entry
> > 'fqdn=m1.ipa1demo.test,cn=computers,cn=accounts,dc=ipa1demo,dc=test'.
> >
> > There is a system permission 'System: Modify Hosts' that allows write to
> > macaddress and other attributes but it is not assigned by default
> > because it gives more rights than required. In particular, it gives
> > right to write to 'objectClass' attribute which is the core of LDAP
> > object system. macAddress attribute is only allowed if LDAP object
> > includes an object class that permits the attribute. FreeIPA API knows
> > which objectclass needs to be added and attempts to add it automatically
> > and it will fail if no permission to write to 'objectclass' attribute is
> > granted. However, allowing applications to write to 'objectclass' means
> > they can transform that entry into something else. It is not something
> > you'd want, at least for hosts.
> >
> > So you need to create a special permission that handle this case.
> > I am unable to create one on the fly, my brain is not working today...
>
> The root of the problem is that the macaddress attribute is not
> available by default in a host but if it is set then the ieee802device
> is added at the same time.
>
> I strongly agree with Alexander and wouldn't recommend hosts be able to
> modify their own set of objectclasses.
>
> A workaround is to add the missing objectclass in advance:
>
> $ kinit admin
> $ ipa host-mod --addattr objectclass=ieee802device client.example.test
>
> Then you can add a new permission:
>
> $ ipa permission-add "Hosts can modify their own MAC address" --right write --type host --bindtype self --attrs macaddress
>
> Then you can do as Alexander suggested:
>
> # kinit -k
> # ipa host-mod $(hostname) --macaddress 00:11:22:33:44:55
>
> There is no way to change the default objectclasses for hosts in
> configuration like there is with users and groups. You'd need to write a
> short plugin to inject it into a host as the host is created. For
> existing hosts you'd need to do them one at a time.
>
> rob
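The procedure Alexander and Rob describe (authenticate with the host keytab, inspect `attributelevelrights` before attempting the write, then run `host-mod` with the physical interfaces' MAC addresses) can be scripted from the host side without any user credential. The script below is an added example for this thread, not code from FreeIPA or from any of the posters. It drives the `ipa` and `kinit` CLIs through `subprocess` rather than using the `ipalib` Python API, and it assumes the `attributelevelrights` line of `ipa host-show --rights --all` is printed as a Python-style dict literal (the sample output and the interface layout under `/sys/class/net` are constructed for the example). The rights letters follow the 389 Directory Server effective-rights convention: `r` read, `s` search, `c` compare, `w` write, `o` delete.

```python
"""Check the host principal's effective rights, then update its own macAddress.

Added example for this thread, not FreeIPA project code. Assumes: the host
keytab is readable (run as root), the `kinit` and `ipa` CLIs are installed,
and `ipa host-show <fqdn> --rights --all` prints the attributelevelrights
dictionary as a Python-style dict literal (assumed output format).
"""
import ast
import re
import socket
import subprocess
from pathlib import Path

# Constructed sample of the relevant `ipa host-show --rights --all` lines.
# 'objectclass' deliberately lacks 'w': the host may not rewrite its own
# object classes, which is the least-privilege stance taken in the thread.
SAMPLE_HOST_SHOW = """\
  Host name: client.example.test
  Principal name: host/client.example.test@EXAMPLE.TEST
  attributelevelrights: {'description': 'rscwo', 'macaddress': 'rscwo', 'objectclass': 'rsc'}
"""

RIGHTS_RE = re.compile(r"^\s*attributelevelrights:\s*(\{.*\})\s*$", re.MULTILINE)


def parse_attribute_level_rights(host_show_output: str) -> dict:
    """Return {attribute: rights-letters} parsed from host-show output.

    An attribute missing from the dictionary means the bound principal has
    no rights to it at all (Alexander's "you don't have write rights for sure").
    """
    match = RIGHTS_RE.search(host_show_output)
    if not match:
        return {}
    rights = ast.literal_eval(match.group(1))  # safe literal parse, no eval()
    return {attr.lower(): letters for attr, letters in rights.items()}


def can_write(rights: dict, attribute: str) -> bool:
    """True when the effective rights for `attribute` include 'w' (write)."""
    return "w" in rights.get(attribute.lower(), "")


def local_mac_addresses(sysfs_net: str = "/sys/class/net") -> list:
    """Collect MACs of physical interfaces; skip loopback and virtual devices."""
    macs = []
    for iface in sorted(Path(sysfs_net).iterdir()):
        # Virtual devices (lo, bridges, veth, docker0) have no 'device' symlink.
        if not (iface / "device").exists():
            continue
        mac = (iface / "address").read_text().strip().upper()
        if mac and mac != "00:00:00:00:00:00":
            macs.append(mac)
    return macs


def host_mod_command(fqdn: str, macs: list) -> list:
    """argv for `ipa host-mod`; each --macaddress= sets one value of the attribute.

    Note that --macaddress replaces the attribute's value list, so every
    current MAC is passed in one invocation.
    """
    return ["ipa", "host-mod", fqdn] + [f"--macaddress={m}" for m in macs]


def main() -> int:
    fqdn = socket.getfqdn()
    # Host keytab only: no user credential is involved at any point.
    subprocess.run(["kinit", "-k"], check=True)
    shown = subprocess.run(["ipa", "host-show", fqdn, "--rights", "--all"],
                           check=True, capture_output=True, text=True).stdout
    rights = parse_attribute_level_rights(shown)
    if not can_write(rights, "macaddress"):
        # Fail early instead of letting host-mod hit "Insufficient access";
        # the bindtype=self permission from the thread is what grants this.
        print("host principal has no write right on macAddress; nothing changed")
        return 1
    subprocess.run(host_mod_command(fqdn, local_mac_addresses()), check=True)
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Because the check runs before the write, a host that has not yet been granted the self-bind permission (or that still lacks the `ieee802device` object class) exits cleanly rather than producing the `Insufficient access` error shown above, which makes the failure easy to spot in an inventory-audit run across many hosts.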
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue